DETAILED ACTION

1. The amendment and remarks therein, received on 4/08/08, have been entered and
carefully considered. 

2. The drawings received on 3/10/08 have been accepted, and the objection to the
drawings is withdrawn.

3. The amendment to the specification received on 3/10/08 has been accepted. 

4. The IDS received on 6/16/08 has been accepted and considered. 

5. The text of those sections of Title 35, U.S. Code not included in this action can be 
found in a prior office action. 

6. In light of applicant's amendment and arguments, the 35 USC § 112 rejection is
withdrawn. 

Response to Amendment 

7. The main argument raised by the applicant is that the art of record (e.g. Doyle) does
not suggest that "this validation process is delayed based on the specific criterion of
a predetermined amount of traffic being passed through the port" and as a result it
fails to teach the newly added limitation "wherein said learning is delayed from a
time of receipt of the first data packet until a predetermined amount of traffic has
passed through the port".

The examiner acknowledges the missing limitation in Doyle's invention but points out
that configuring network devices to delay a particular action, in particular network
communication, which inherently results in a predetermined amount of traffic being
passed through the port (in the network communicating device), is old and well
known in the art of computers. Due to potential errors or simply the inability of a
network device to send a request or receive a response to a request, network devices
are frequently set by default or by an administrator to delay in case a particular event
cannot occur.

Additionally, note that different processes have different priorities (also set up by
default or by administrators), which result in delays of processes with lower
priorities when higher priority processes execute.

Lastly, in order to avoid a single point of failure, today's networks frequently use a 
plurality of devices offering the same functionalities (e.g. DHCP, DNS and firewall 
servers, etc.) and utilizing such devices storing routing/network configuration data
(such as DHCP, DNS and firewall table entries) requires synchronization which
inherently involves time delay.

8. As per newly introduced claim 23, applicant argues that the art of record (Doyle,
Rayes, Whelan, and/or Sawada) does not disclose that "the network device includes
a timer configured to clear the table of one or more source IP addresses at
predetermined time intervals". Also, in the Remarks/Arguments (pg. 15) applicant
clearly defines the interpretation of the content addressable memory and argues that
according to this interpretation, the previous Office Action fails to teach "wherein the
table is stored in an access control list of a content addressable memory device".
This Office Action addresses these arguments below.



9. Claims 1, 3-9, 11-13, 17-18 and 20-25 have been examined.

Claim Objections

10. In claim 23, a letter "s" in the phrase: "... the network device includes a s timer..." 
should be deleted or changed to "system". 

Appropriate correction is required. 

Claim Rejections - 35 USC § 103 

11. Claims 1, 4-9, 11-13, 17-18, 20-25 are rejected under 35 U.S.C. 103(a) as being
unpatentable over Doyle (U.S. Patent No. 7134012) in view of Woundy (USPN 
6009103). 

As per claims 4, 17, 24 and 25, Doyle discloses a network device comprising a port 
(e.g. Fig. 1), receiving a first data packet on the port, the first data packet including a 
first MAC address and a first source IP address (see Fig. 6); determining if the first 
MAC address is a new MAC address that is not included in a table of the network 
device, the table configured to store a plurality of source IP address and MAC 
address pairs; learning, wherein the first MAC address and the first source IP 
address form a first source IP address and MAC address pair (Fig. 6, step 610 and 
associated text, for example). 

12. As per newly introduced limitations, Doyle discloses the use of a single DHCP 
server, thus the use of only a single table of the network device. When the IP/MAC 
address is not found in the table the data packet is discarded (step 620, for 
example). As a result, Doyle does not disclose learning the first source IP address if 
the first MAC address is a new MAC address.

Woundy discloses a plurality of DHCP servers, which inherently comprise a plurality of
IP/MAC address pairs tables (Woundy, col. 1 lines 58-61). It would have been
obvious to one of ordinary skill in the art at the time of applicant's invention to
include a plurality of DHCP servers and, as a result, a plurality of tables comprising
IP source addresses as disclosed by Woundy given the benefit of eliminating a single
point of failure.

An ordinary artisan would readily recognize, as also indicated by Woundy, that a plurality
of devices, such as DHCP servers, must be synchronized for all the devices to have
current table entries, consistent with all other devices, and that the process of
synchronization inherently causes a delay. During the delay, depending on the
LAN's type and bandwidth, from the time of receipt of the first packet until the
device's learning of the first source IP address, a predetermined amount of traffic
inherently passes through the port.

13. As per claims 1 and 22, Doyle discloses receiving a plurality (e.g. a second, third,
etc.) of data packets on the port, determining if the second MAC address for the second
data packet is a new MAC address and, when the second MAC address for the
received second data packet is determined to be a new MAC address, learning the
source IP address for the second MAC address, wherein the second MAC address
and the learned source IP address form a second IP address and MAC address pair,
and storing the second IP address and MAC address pair in the table (col. 9 lines
44-64).

14. As per claims 5 and 18, the table reads on Access Control List (it is used to filter
data) and in order for the device to access the entries, the table inherently must be
stored in memory, but Doyle in view of Woundy do not explicitly disclose the use of a content
addressable memory.

However, the use of a content addressable memory is old and well known in the art, 
(see Mate USPUB 2003/0056001, paragraph 6, for example), and it would have
been obvious to one of ordinary skill in the art at the time of applicant's invention to 
incorporate the content addressable memory given the benefit of efficiency. 

15. As per claim 8, Doyle does not explicitly disclose an administrator selecting the 
maximum number of source IP addresses. 

Official Notice is taken that configuring computers by administrators (e.g. determine 
selection of values, e.g. ports) is old and well-known practice in the art of computing 
(e.g. DHCP scope administration). One of ordinary skill in the art at the time of 
applicant's invention would have been motivated to allow administrators to configure 
computers giving the benefit of network customization. 

16. As per claims 6-7, Doyle does not disclose determining and removing the source IP 
address from the table when it is determined that the device having the IP address is 
no longer coupled to the port. 

Any data structure, including a table, has a finite size and as a result, a finite
amount of data can be stored in the structure. Furthermore, an ordinary artisan in
the art of computer science would recognize that an increasing amount of data to be
searched increases search time.

Lastly, monitoring the activity of computer processes, including network connections, and
terminating inactive activities is well known in computer science (e.g. U.S. Patent
No. 6338089).

Thus, removing a source IP address, of a device not coupled to the port, from the 
table would have been obvious to an ordinary artisan given the benefit of system's 
efficiency. 

17. Additionally, as per claims 11-13 and 20-21, discarding a data packet received at a port
reads on blocking the data packet. 

18. Also, as per claim 23, Doyle in view of Woundy do not disclose a timer configured to
clear the table of one or more source IP addresses at predetermined time.

However, clearing tables of one or more entries after a predetermined time is old and
well known in the art of computer science (e.g. see USPUB 2003/0043763
paragraph 34 or textbooks related to cache entries).

19. As per claim 9, Doyle in view of Woundy do not explicitly disclose that the network 
device comprise a plurality of ports. However, utilizing a plurality of ports in a 
network device is old and well known in the art of computer networking (see USPN 
6907470 or any TCP/IP textbook, for example), and it would have been obvious to 
one of ordinary skill in the art at the time of applicant's invention to incorporate a 
plurality of ports given the benefit of multiple connections. 

Furthermore, Doyle in view of Sawada Doyle in view of Woundy do not explicitly 
disclose receiving input from a system administrator which selects ports of the 
plurality of port will be provided based on a source IP address and MAC address 
pair contained in a data packet. Official Notice is taken that configuring computers by
administrators (e.g. determine selection of values, e.g. ports) is old and well-known 
practice in the art of computing (e.g. DHCP scope and firewall administration). One 
of ordinary skill in the art at the time of applicant's invention would have been 
motivated to allow administrators to configure computers giving the benefit of 
network customization.

20. Claim 3 is rejected under 35 U.S.C. 103(a) as being unpatentable over Doyle (U.S.
Patent No. 7134012) in view of Woundy (USPN 6009103), and further in view of
Whelan (U.S. Pub. No. 20040003285).

Doyle in view of Woundy disclosure has been discussed supra.

Doyle in view of Woundy do not disclose performing a reverse IP check to confirm 
the learned source IP address. 

Whelan discloses performing a reverse IP check to confirm the IP address
(Whelan [0036]). It would have been obvious to one of ordinary skill in the art at
the time of applicant's invention to perform a reverse IP check to confirm the IP
address. One of ordinary skill in the art would have been motivated to perform such
a modification in order to identify rogue access (Whelan [0036]).

Conclusion 

Any inquiry concerning this communication or earlier communications from the
examiner should be directed to Peter Poltorak whose telephone number is (571) 272-3840.
The examiner can normally be reached Monday through Thursday from 9:00
a.m. to 4:00 p.m. and alternate Fridays from 9:00 a.m. to 3:30 p.m.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's
supervisor, Kambiz Zand, can be reached on (571) 272-3811. The fax phone number
for the organization where this application or proceeding is assigned is (571) 273-8300.

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 

/Peter Poltorak/ 

Examiner, Art Unit 2134 
/Kambiz Zand/ 

Supervisory Patent Examiner, Art Unit 2134 



